
Local Admin --> Domain Admin ??

I have been trying to expand my knowledge, so I have set a lab with the following configuration:

Fully Patched Windows 2003 Server (Acting as a domain controller)
Unpatched Client Machine (XP), which is joined to the above domain.

Since I have been able to compromise the client machine, I was able to get the local hashes and have been able to crack them using rainbow tables. My question is: is there any possible way to get domain passwords?

I have read about the "CacheDump" tool, which will get the hashes for the last 10 logged-in users (something called MSCash), and have been able to get the hashes. However, it seems that these hashes cannot be cracked using rainbow tables, as they came in the following format:

You do know that these passwords are much more secure than the LM hashes stored in the SAM file; for starters, each of the cached hashes has its own salt added, which will make them much more time-consuming to crack. I do not know about rainbow tables, but they can at least be cracked using John the Ripper; here is a good tutorial on this from Irongeek: http://www.irongeek.com/i.php?page=security/cachecrack

You can also use Cain to crack CacheDump passwords. However, I wouldn't give up on the LM hashes. Does your local admin password on the client work on the server? Do any of the user accounts give you access to the server? Try this: http://forums.remote-exploit.org/showthread.php?t=12942

William

Thanks for the reply. The local admin password doesn't give me access to the server, nor do any of the users' passwords give me access to the server. I am thinking of some sort of privilege escalation (if possible); also, I will give John the Ripper a try to crack the M$ cache hashes.

JTR or Cain is the way to go

Originally Posted by l1nuxant_ee

Thanks for the reply. The local admin password doesn't give me access to the server, nor do any of the users' passwords give me access to the server. I am thinking of some sort of privilege escalation (if possible); also, I will give John the Ripper a try to crack the M$ cache hashes.

John works well for any password cracking. Cain, albeit slower, also has great cracking abilities for cached passwords, and a rather attractive (in comparison) GUI, if you want to go that route.

Essentially, I'm just repeating what has already been said. Let us know if you have any problems.

Your best bet is going to be token stealing. Incognito has been built into Meterpreter, or you can upload the Pass-the-Hash Toolkit from Core.

Any domain users that have logged into the box since reboot should have their tokens in memory. Once you are local admin or SYSTEM on the box, you can use one of the token-passing tools to take that token and become the domain user (hopefully some sort of admin, which wouldn't be too far-fetched if it is any sort of server).